From time to time the authors of effective and long-lived Trojans and viruses create new modifications and forks of them, just like any other software authors. One of the brightest examples among them is Zeus (Trojan-Spy.Win32.Zbot, according to the “Kaspersky Lab” classification), which continues to spawn new modifications of itself each year. In a strange way this malware has come to resemble its prototype from Greek mythology. Malware families such as Mirai, NJRat, Andromeda and others can also be attributed to this “prolific” group. The malware named “Neutrino” takes an important place in this row of well-known Trojans, offering various types of infection, spreading and payload.
In this article we analyze a very special species: a variant that can collect credit card information from POS terminals.
Products of “Kaspersky Lab” detect it as Trojan-Banker.Win32.NeutrinoPOS.
MD5 of the described file: 0CF70BCCFFD1D2B2C9D000DE496D34A1
The Trojan takes a long “sleep” before it starts. It seems that this code was added to fool some AV sandboxes. To determine the length of the delay, the Trojan uses a pseudorandom number generator.
At the next stage, the Trojan extracts a C&C address list from its body. The list is encoded in Base64. After decoding, the Trojan tries to find a working C&C using the following algorithm:
It sends a POST request to the server, passing in the request body the Base64-encoded string “enter” (ZW50ZXI=). All encoded strings carry the prefix “_wv=”.
A working server responds with a 404 page that contains, at its end, the encoded string c3VjY2Vzcw== (“success”). In case of “success”, the Trojan marks the address of the server it used as working.
We should also note that the header of each POST request contains an “auth” field, which stays the same for every sample of the NeutrinoPOS family.
Restored code of C&C-server check
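The check-in exchange described above, written from the detection side: the following is an added example (not the Trojan's code and not code from the article) that classifies a request/response pair as the NeutrinoPOS check-in when it has the shape the article gives: a POST carrying an “auth” header and a body “_wv=” + Base64(“enter”), answered by a 404 whose body ends in Base64(“success”). The sample exchanges and host names are constructed placeholders.

```python
import base64
from typing import Optional

WV_PREFIX = "_wv="
CHECKIN_B64 = base64.b64encode(b"enter").decode()    # "ZW50ZXI="
ACK_B64 = base64.b64encode(b"success").decode()      # "c3VjY2Vzcw=="


def decode_wv(body: str) -> Optional[str]:
    """Return the decoded payload of a '_wv=<base64>' body, or None for any other shape."""
    if not body.startswith(WV_PREFIX):
        return None
    try:
        return base64.b64decode(body[len(WV_PREFIX):], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_exchange(method: str, headers: dict, req_body: str,
                      status: int, resp_body: str) -> Optional[str]:
    """Classify one HTTP request/response pair.

    "live_c2"        - POST with an 'auth' header and body '_wv=' + base64("enter"),
                       answered by a 404 whose body ends in base64("success")
    "checkin_no_ack" - the same request, but the reply lacks the success marker
    None             - anything else
    """
    header_names = {k.lower() for k in headers}
    if method.upper() != "POST" or "auth" not in header_names:
        return None
    if decode_wv(req_body) != "enter":
        return None
    if status == 404 and resp_body.rstrip().endswith(ACK_B64):
        return "live_c2"
    return "checkin_no_ack"


# Constructed sample exchanges (not captured traffic); hosts and token are placeholders.
SAMPLE_EXCHANGES = [
    ("POST", {"Host": "c2-placeholder.example", "auth": "CONSTANT-TOKEN"},
     "_wv=" + CHECKIN_B64, 404, "<html>Not Found</html>" + ACK_B64),
    ("POST", {"Host": "dead-placeholder.example", "auth": "CONSTANT-TOKEN"},
     "_wv=" + CHECKIN_B64, 404, "<html>Not Found</html>"),
    ("POST", {"Host": "www.example.com", "Content-Type": "application/json"},
     '{"q": "hello"}', 200, "{}"),
]


def flag_exchanges(exchanges):
    """Return [(host, verdict)] for every exchange that matches the check-in pattern."""
    out = []
    for method, headers, req_body, status, resp_body in exchanges:
        verdict = classify_exchange(method, headers, req_body, status, resp_body)
        if verdict is not None:
            out.append((headers.get("Host", "?"), verdict))
    return out


if __name__ == "__main__":
    for host, verdict in flag_exchanges(SAMPLE_EXCHANGES):
        print(f"{host}: {verdict}")
```

The distinction between “live_c2” and “checkin_no_ack” mirrors what the Trojan itself does with the reply: only servers that append the “success” marker to their 404 get marked as working, so a proxy log showing the request alone identifies an infected host, while the reply tells you which addresses on the list were still alive at the time.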
The C&C address is stored in the registry branch HKCR\Sofrware\alFSVWJB, as are the other variables and data used by the NeutrinoPOS sample. The branch name differs from the one described here, but after a full comparison of both samples we can claim that both samples are the same modification of Neutrino.
The described variant contains the following functions:
Download and start a file;
Search for a process by name;
Modify registry branches;
Search for a file by name on the infected host and send it to the C&C.
The server sends commands without encryption, as plain words like “PROXY”, “screenshot” and so on, only encoded in Base64. Following our analysis, we can claim that the current versions of Neutrino have no functions for DDoS attacks.
Implementation of command checksum calculation
Examples of a few commands (marked with a red line on the screenshot above):
Rolxor(“PROXY”) = 0xA53EC5C
Rolxor(“screenshot”) = 0xD9FA0E3
NeutrinoPOS command handler
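The two checksum values listed above are enough to pin the routine down. The block below is an added example, not the Trojan's decompiled code and not code from the article: it reconstructs the checksum as “start from 0; for each ASCII byte, rotate the running 32-bit value left by 7 and XOR the byte in” (the rotation count and seed are this reconstruction's assumption, chosen because they reproduce both quoted values exactly), builds the kind of checksum-to-name table a command handler compares against, and shows the analyst's use of it: recovering command names from checksum constants pulled out of a sample by trying candidate words.

```python
from typing import Dict, Iterable, Set


def rol32(value: int, bits: int) -> int:
    """Rotate a 32-bit value left by `bits`."""
    bits %= 32
    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF


def rolxor(command: str) -> int:
    """Command checksum as reconstructed here: seed 0, then per ASCII byte
    h = rol32(h, 7) ^ byte. Case-sensitive, since it works on raw bytes."""
    h = 0
    for b in command.encode("ascii"):
        h = rol32(h, 7) ^ b
    return h


def build_dispatch_table(commands: Iterable[str]) -> Dict[int, str]:
    """Checksum -> command name, the shape a handler matches incoming values against."""
    return {rolxor(c): c for c in commands}


def recover_commands(checksums: Set[int], wordlist: Iterable[str]) -> Dict[int, str]:
    """Analyst helper: given checksum constants lifted from a sample's handler,
    hash candidate names from a wordlist and report which constants they explain."""
    table = build_dispatch_table(wordlist)
    return {c: table[c] for c in checksums if c in table}


# The two values quoted in the article.
KNOWN = {"PROXY": 0x0A53EC5C, "screenshot": 0x0D9FA0E3}

if __name__ == "__main__":
    for name, expected in KNOWN.items():
        print(f"Rolxor({name!r}) = {rolxor(name):#x} (article: {expected:#x})")
    # Constructed candidate list; only names present in the sample's table resolve,
    # and the lowercase "proxy" hashes differently from "PROXY".
    print(recover_commands(set(KNOWN.values()), ["download", "PROXY", "screenshot", "proxy"]))
```

Because the handler compares checksums rather than strings, the command names never appear in the binary; a wordlist of verbs seen in other bot families, run through `recover_commands`, is the practical way to label the branches of a dispatch routine like the one in the screenshot.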
Stealing of credit cards
The algorithm for stealing credit card information is implemented in the Trojan in quite a simple way and can be described as follows:
The Trojan starts to iterate over the currently running processes, using CreateToolhelp32Snapshot / Process32FirstW / Process32NextW.
Using OpenProcess / VirtualQuery / ReadProcessMemory, the Trojan obtains the memory pages of each process.
The Trojan scans the memory pages for the string “Track1”, which marks the fields of the first track of the magnetic card. All the described fields follow one after another:
A sequence of symbols in the range ‘0’ to ‘9’ with a length of 15, 16 or 19 (the PAN). The sequence is verified with the Luhn algorithm.
A check for the presence of the separator symbol ‘^’ in the next and previous fields.
Extraction of the card holder name, with a maximum length of 26 symbols according to ISO/IEC 7813:
The remaining data (CVC32, expiration date, CVV) is extracted as a whole block, with a check of its length and content:
The collected data is sent to the server with the mark “Track1”.
After that, the Trojan starts to extract the next fields, marked “Track2” at the beginning:
First, it extracts the PAN with the same checks as in the previous stage.
As the separator symbol, ” ‘ ” or ‘D’ is used.
Track2 doesn’t contain the card holder name; the remaining data is extracted as a whole block.
The collected data is sent to the server with the mark “Track2”.
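The Track1/Track2 checks above, applied as a forensic scan over a byte buffer standing in for a memory page: this is an added example (not the Trojan's code and not code from the article) of the kind of check an incident responder or DLP tool runs over a memory dump to confirm which process held track data in the clear. It does not read process memory. The PAN lengths (15, 16, 19), the Luhn check, the ‘^’ separators and the 26-character name limit follow the article; the ‘=’ Track2 separator is taken from ISO/IEC 7813 where the article's text lost the symbol, ‘D’ is as stated, and the length bounds on the trailing block are this example's assumptions. The buffer uses the well-known test PAN 4111111111111111, not real card data.

```python
import re
from typing import Dict, List

# A digit run of exactly 15, 16 or 19 characters, not embedded in a longer run.
PAN_RE = re.compile(rb"(?<![0-9])([0-9]{19}|[0-9]{16}|[0-9]{15})(?![0-9])")
# Track1 tail: '^' name (1-26 chars, ISO/IEC 7813) '^' trailing digit block.
# The 7..40 bound on the trailing block (YYMM + service code at minimum) is assumed.
TRACK1_TAIL_RE = re.compile(rb"^\^([^\^?\x00]{1,26})\^([0-9]{7,40})")
# Track2 tail: separator '=' (ISO/IEC 7813, assumed) or 'D' (as the article states),
# then the trailing digit block; 7..37 bound assumed.
TRACK2_TAIL_RE = re.compile(rb"^[=D]([0-9]{7,37})")


def luhn_ok(pan: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def masked(pan: str) -> str:
    """First 6 and last 4 digits only, for reporting without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_page(page: bytes) -> List[Dict[str, str]]:
    """Apply the article's checks to one buffer and return every track hit found."""
    hits: List[Dict[str, str]] = []
    for m in PAN_RE.finditer(page):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):               # a digit run that fails Luhn is not a PAN
            continue
        tail = page[m.end():]
        t1 = TRACK1_TAIL_RE.match(tail)
        if t1:                             # '^' name '^' rest  -> Track1
            hits.append({"track": "Track1", "pan": pan,
                         "name": t1.group(1).decode("ascii", "replace"),
                         "rest": t1.group(2).decode("ascii")})
            continue
        t2 = TRACK2_TAIL_RE.match(tail)
        if t2:                             # separator + rest, no name -> Track2
            hits.append({"track": "Track2", "pan": pan, "name": "",
                         "rest": t2.group(1).decode("ascii")})
    return hits


# Constructed buffer standing in for a memory page: one Track1 record, one Track2
# record, a 13-digit decoy (wrong length) and a decoy PAN that fails Luhn.
SAMPLE_PAGE = (
    b"\x00\x00junk 1234567890123 more junk"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?\x00\x00"
    b"other bytes ;4111111111111111=25121011000000000000?\x00"
    b"decoy 4111111111111112^NOT/VALID^2512101\x00"
)

if __name__ == "__main__":
    for hit in scan_page(SAMPLE_PAGE):
        print(hit["track"], masked(hit["pan"]), hit["name"] or "-", len(hit["rest"]), "trailing digits")
```

Running this over dumps of the processes a POS host runs (the same CreateToolhelp32Snapshot / ReadProcessMemory walk the Trojan uses, but performed by the responder) answers the question the article's description raises: which process kept unencrypted track data in memory long enough for a scanner like this to find it.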
The largest areas of infection are Russia and Kazakhstan. Nearly 10% of infected computers belong to small business corporate customers.
As we can see from the described Trojan Neutrino, despite belonging to an old, well-known and well-researched family, it continues to bring various surprises to malware analysts and researchers in the form of atypical functionality or application. We can see the same situation with Mirai forks, for example, which are being generated in enormous numbers across all platforms and in different species.
Generally speaking, every publication of malware source code with good architecture and varied functionality will attract interest and attention from malware authors, who will try to use it in nearly every possible way of illegal money gain. We can assume that right now there may already be new modifications of Neutrino with functionality for crypto-currency mining.